 Business Case: Lax Security at LinkedIn Exposed

On any social network, most users assume that their privacy is only as good as the privacy of their most careless, or most temporary, friend. In fact the situation is worse: weak passwords, and the hackers who exploit them, can strip users of all privacy.

When the business social networking site LinkedIn was hacked in 2012 ( Figure 5.13 ), hackers stole 6.5 million password hashes and e-mail addresses. The breach was discovered by IT security experts when they found millions of LinkedIn password hashes posted on a Russian underground website ( Figure 5.14 ). Experts also determined that a hacker named Dwdm was asking underground members for help in cracking the stolen hashes. Within only 2 days, most of the passwords had been cracked. Why were LinkedIn's passwords cracked so quickly? The simple answer is that LinkedIn stored them as unsalted SHA-1 hashes: a fast, general-purpose hash function applied to the bare password, rather than the salted, deliberately slow password hashing that was already the industry standard. (This is hashing, not encryption; an encrypted password could be recovered with a key, whereas a hashed one has to be guessed.) With no per-user salt, every member who chose the same password got the same hash, and a single precomputed table of hashes for common passwords could be checked against the entire dump at once. As a result, members' passwords were really only camouflaged, and crackable.

FIGURE 5.13 LinkedIn data breach overview.

FIGURE 5.14 LinkedIn did not discover its own data breach and, when informed of it, delayed notifying members.
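The cracking economics described above, as an added example in Python (not part of the textbook case and not LinkedIn's own code): a constructed five-user dump is hashed first as unsalted SHA-1, the way LinkedIn stored passwords, and then with a random per-user salt and PBKDF2-HMAC-SHA256. The sample passwords, the attacker's wordlist and the iteration count are illustrative choices, not figures from the case. Against the unsalted dump, one SHA-1 per wordlist entry cracks every user who chose that password; against the salted dump, each record has to be attacked on its own and every guess costs a full PBKDF2 run.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (illustrative, not the real leaked dump):
# five users' passwords and the attacker's small wordlist.
SAMPLE_PASSWORDS = ["linkedin", "password", "123456", "linkedin", "Summer2012!"]
WORDLIST = ["123456", "password", "linkedin", "qwerty", "welcome"]


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 of the password: the scheme LinkedIn used in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hashes, wordlist):
    """Precompute one SHA-1 per wordlist entry, then look every stored hash
    up in that table. The cost is len(wordlist) hashes no matter how many
    users leaked, and users with identical passwords fall together."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, slow hash: 16 random bytes of salt per user, PBKDF2-HMAC-SHA256.
    Stored as 'salthex$dkhex' so the verifier can recover the salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str, iterations: int = 100_000) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_records, wordlist, iterations: int = 100_000):
    """With per-user salts there is no shared lookup table: every record is
    attacked separately and every guess costs a full PBKDF2 computation.
    Returns (cracked records, number of PBKDF2 runs spent)."""
    cracked = {}
    runs = 0
    for record in stored_records:
        for word in wordlist:
            runs += 1
            if verify_salted(word, record, iterations):
                cracked[record] = word
                break
    return cracked, runs


def demo(iterations: int = 100_000) -> dict:
    """Hash the sample dump both ways and attack each with the same wordlist."""
    unsalted = [sha1_unsalted(p) for p in SAMPLE_PASSWORDS]
    fast_table = crack_unsalted(set(unsalted), WORDLIST)

    salted = [pbkdf2_salted(p, iterations=iterations) for p in SAMPLE_PASSWORDS]
    slow_table, runs = crack_salted(salted, WORDLIST, iterations)

    return {
        "distinct_unsalted": len(set(unsalted)),        # two 'linkedin' users share one hash
        "unsalted_hash_ops": len(WORDLIST),             # SHA-1 computations for the whole dump
        "unsalted_users_cracked": sum(h in fast_table for h in unsalted),
        "distinct_salted": len(set(salted)),            # same password, different hash per user
        "salted_hash_ops": runs,                        # PBKDF2 runs, each 'iterations' long
        "salted_users_cracked": len(slow_table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With five users the salted dump already costs nearly three times as many hash computations, each of them tens of thousands of times slower than a single SHA-1; scale the dump to millions of members and the unsalted attack still costs one hash per wordlist entry while the salted attack grows linearly with the number of users.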

 LinkedIn Criticized for Bad Data Security

What could hackers do to your online accounts if they had your passwords for 48 hours and you did not know? That is what LinkedIn allowed to happen by waiting 2 days before notifying members that their passwords had been stolen. The company took a lot of criticism for not notifying members via Twitter or Facebook immediately. According to the chief executive of the Public Relations Consultants Association, Francis Ingham, LinkedIn ignored the first rule of crisis management, which is to be first to tell your customers.

What surprised customers and IT security experts was that a company that collects and profits from vast amounts of data had taken a negligent approach to protecting it. Figure 5.15 explains why it was surprising and alarming that LinkedIn’s password protection was weak.

FIGURE 5.15 Three reasons why LinkedIn’s underinvestment in data security did not make business sense.

 E-mail Addresses are Universal Usernames

At most e-commerce and social sites, usernames are e-mail addresses, making the e-mail address our universal username for online accounts. If the e-mail is a work account, then everyone also knows where we work and our login name. Therefore, a stolen username and password give an attacker access to corporate accounts that looks like an ordinary, authorized login and carries almost no risk of detection. Hackers attacked LinkedIn to obtain over 161 million members' credentials as a means to reach far more valuable business networks and databases.

 Business Risks and Collateral Damage

The hack caused the following business risks and collateral damage.

  • Takeover of members' other accounts by hackers, fraudsters, and other criminals. Hackers know that people reuse passwords; once their LinkedIn accounts are linked to Facebook and Twitter, far too much information may be revealed. Knowing where people worked and their e-mail addresses let hackers quickly try the stolen LinkedIn passwords against corporate accounts, online bank accounts, and so on to steal more data or transfer funds.
  • Damage to LinkedIn’s biggest revenue source—its advertising business. LinkedIn’s financial success is tied to its advertising revenues, which in turn are based on the number of active members and membership growth.
  • Fines for violating privacy laws and regulations. Any company exposing the confidential data of customers or employees faces steep fines. Regulators impose harsh penalties for breaking privacy laws and not taking reasonable care to defend against data breaches. Strict data privacy laws in states such as Massachusetts and California could keep LinkedIn fighting legal battles for years.
  • Cleanup costs. The cleanup cost LinkedIn nearly $1 million and another $2–$3 million in upgrades. Forensic work on the password theft cost another $500,000 to $1 million.

 Data Security: A Top Management Concern

Data security is a senior management concern and responsibility. It affects a company’s operations, reputation, and customer trust, which ultimately impact revenue, profits, and competitive edge. Yet, defenses that could help to prevent breaches are not always implemented.

Some experts argue that senior management continues to skimp on basic protections because computer security is not regulated—that is, until a business suffers a major crisis. After the data breach, LinkedIn added per-user salts to its password hashing, hired private security and forensics experts, and called in the FBI to help investigate the security breach.

 Comparison with Other Cyberattacks

While 6.5 million leaked password hashes represent a serious breach, they affected a relatively small percentage of the more than 175 million members LinkedIn had at that time. Overall, the LinkedIn breach, while costly, did not do as much harm as the attacks on other companies such as Global Payments and Sony, or on the Certificate Authority DigiNotar, which was literally hacked out of business.

 Just the Beginning

Four years after the data breach, the number of released account details was found to be 117 million rather than 6.5 million. In May 2016, the Russian hacker "Peace," who sold the Yahoo data breach information in the Opening Case, offered LinkedIn account details for sale on a Dark Web marketplace for $2,300. In response to this much larger breach, LinkedIn required the affected account holders to change their passwords and urged all other users to change theirs as well. In addition, LinkedIn spent about $4 million repairing and upgrading its security infrastructure to combat future leaks (Hackett, 2016b).

Questions
  1. LinkedIn does not collect the credit card or other financial account information of its members. Why then would profit-motivated hackers be interested in stealing LinkedIn's stored data? What data would hackers be most interested in accessing?
  2. Companies are often slow to self-detect data breaches so a cyberattack can occur without a company even knowing it has a problem. What effect do you think LinkedIn’s failure to self-detect its massive data breach had on its popularity and credibility?
  3. Most corporate security incidents are uncovered by a third party, like a security firm, that picks up on evidence of malicious activity. Why do you think IT security experts and not LinkedIn discovered the data breach?
  4. Explain why LinkedIn’s lax approach to members’ information security and weak passwords was very surprising to members and information security professionals.
  5. Identify and evaluate the actual and potential business risks and damages from LinkedIn’s data breach.
  6. In your opinion, was LinkedIn negligent in protecting its main asset? Explain.

Sources: Compiled from Franceschi-Bicchierai (2016), Hackett (2016b), and Ponemon Institute (2017).
